PCI Risk Assessment Guidelines are No Silver Bullet

Need a leg up on establishing a good risk assessment methodology to comply with the PCI DSS section 12.1.2 regulations? You're in luck, sort of. The Payment Card Industry Security Standards Council's (PCI SSC) has released guidelines for all organizations that store, process, or transmit cardholder data to help in the design and implementation of risk assessments that are specific to an entity's particular business environment and to assist in the task of better identifying vulnerabilities which could have an impact on the security of cardholder data. If only it were that simple.

The Risk Assessment Guidelines Information Supplement (.pdf) guidelines were developed by the PCI Risk Assessment Special Interest Group (SIG), and outline how companies can formulate a customized risk assessment process that will allow for the discovery of emerging
threats so they can be addressed in a proactive manner, prior to a data loss event.

"When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate, to ensure their particular risk objectives are met," the new PCI SSC guidelines state.

The PCI SIG that developed the guidelines was made up of stakeholder representatives from assorted merchants, banks, security auditors and relevant technology vendors to enable organizations to more easily "prioritize risk-mitigation efforts to address the most critical risks first and more effectively implement threat-reducing controls and determine how to effectively segment environments to isolate sensitive networks."

The guidelines indicate that the key factors required for proper risk assessment in a specific business environment should include threat identification, a forward-thinking mitigation approach, additional training, and recommends that companies make an effort to keep the process simple, which is the real trick according to payment industry governance expert who writes under the handle "PCI Guru".

"The SIG recommends at the back of their document to 'keeping it simple,' yet references methodologies/frameworks such as ISO 27005, NIST SP800-30 and OCTAVE. Anyone who has ever worked with these methodologies/frameworks knows they are anything but simple. It is the complexity surrounding these methodologies/frameworks as to why risk assessments are typically the most poorly done portion of an organization's risk management program," PCI Guru told Security Bistro.

While the PCI SIG has produced a good description of how an organization can best approach the challenge of creating a reasonable methodology for risk assessment that is specific to their business activities, the task of identifying emerging threats and vulnerabilities before they can be exploited is going to require a great deal of effort and resources on the part of those governed by the PCI DSS standards.

PCI Guru says this will likely ruffle the feathers of those subject to the standards who have long complained that PCI DSS is a "cram-down" compliance approach that is expensive, complicated and difficult to maintain, but unfortunately there is no easy way to ensure the security of this sensitive data.

"I can hear the complaints now from the merchants and service providers about the difficulty in developing the list of risks and threats. Everyone wants a short cut these days to getting their job done. Unfortunately, with a risk assessment, there are no short cuts."

Share this post:

You May Also Be Interested In:

Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets, including The New York Times, Reuters, The Register, Financial Times of London, MSNBC, Fox News, PC/IT/Computer/Tech World, eWeek, SC Magazine, CSO Magazine, Federal News Radio, The Herald-Tribune, Naked Security, and many more. Anthony was the Managing Editor of Infosec Island, an online community designed for IT and network professionals who manage security, risk and compliance issues.